Thursday, March 17, 2016

In summary, this blog post is about Payoneer not offering two-step authentication for its members despite numerous requests.

As of March 17, 2016, Payoneer, a world-renowned company with more than 3 million customers, does not offer two-step authentication protection for its members.

Founded in 2005, Payoneer provides financial services and online money transfer services worldwide. It is available in more than 200 countries and supports more than 150 currencies.

Payoneer's concept is simple: you get an international credit card from Payoneer that allows you to get paid by any valuable American company. You will be able to use the credit card at literally any ATM anywhere in the world and withdraw the funds. You don't have to deal with banks, their headaches and contracts.

Payoneer had extreme success in the past and recently posted those stats on their website:

After massive success and 10 years in business, the security department at Payoneer still doesn't get it: two-step authentication matters. All tech giants, large and small, include it, such as Apple, Amazon, Google, Microsoft, etc.

Apparently, Payoneer is not aware that it is a company that handles financial accounts, not social media accounts. Would thieves and hackers be interested in hacking or hijacking a simple social media account, or a financial account that lets them gain access to a decent amount of cash?

Here goes my first criticism of Payoneer: besides no two-factor authentication being available, I find it unbelievable that a company processing payments will not allow me to use special characters in my password. Only letters and numbers are allowed, which will greatly help malicious hackers trying to break into my account using a brute-force attack.

What Payoneer doesn't understand is that it is not difficult to learn someone's password, whether by installing some spyware on the victim's machine, standing behind the victim while s/he types the password, or through any type of security vulnerability in the service's website and database. In addition to that, Payoneer does not force members to add characters in their passwords.

The community has been asking for this feature since forever, for example: